#
# This role sets up the various packages and scripts needed for a batcave
#

#
# make directory for nfs mounts to live in
#

- name: create /srv/web/pub for nfs mounts
  file: dest=/srv/web/pub state=directory mode=0755
  tags:
  - batcave
  - config

# https://pagure.io/fedora-infrastructure/issue/6422
- name: put openshift repo on batcave for the oc client tools
  template: src="{{ files }}/openshift/openshift.repo" dest="/etc/yum.repos.d/openshift.repo"
  tags:
  - batcave
  - config
  - packages
  - yumrepos

- name: install packages needed (rhel8)
  package: name={{ item }} state=present
  with_items:
  - srm                       # secure rm to delete sensitive files.
  - ansible-core              # This is our ansible master, needs ansible installed.
  - ansible_utils             # Needed for rbac-playbook
  - yum-rhn-plugin            # Needed for rhn sync
  - createrepo_c              # Needed for rhn sync
  - ostree                    # Needed for rhn sync
  - python2-sqlalchemy         # Needed for repo2json
  - bind                      # named-checkzone for dns repo
  - emacs-nox
  - nano                 
  - rpm-sign                  # for the sign-and-import playbook
  - createrepo                # for the sign-and-import playbook
  - unzip                     # general useful util
  - fpaste                    # general useful util
  - mtr                       # useful for network debugging
  - lftp                      # needed to easily pull in builds from koji for internal repos
  - git-email                 # needed to send patches for review to the mailing list
  - python3-dns                # needed to have ansible remove ip-based known_host entries
  - libvirt-client            # needed to allow migrations to be run from here.
  - easy-rsa                  # For easy copying into ansible-private for certs.
  - dnf                       # To get dnf reposync
  - dnf-plugins-core          # To get dnf reposync
  - fedora-messaging          # To send/receive messages on the amqp bus
  - ansible-freeipa           # For the IPA server configuration tasks
  tags:
  - batcave
  - config

- name: setup ssh_known_hosts file
  copy: src=ssh_known_hosts dest=/etc/ssh/ssh_known_hosts mode=0644
  tags:
  - batcave
  - config
  - fingerprints

#
# This is our ansible master, setup ansible
#

- name: setup roots bashrc to note about agents
  copy: src=root_bashrc dest=/root/.bashrc
  tags:
  - batcave
  - config

- name: run daily logview report for ansible actions.
  copy: src=logview.cron dest=/etc/cron.daily/logview.cron mode=0755
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

- name: Install program for generating ticket key
  copy: src=generate_ticketkey dest=/usr/local/bin/generate_ticketkey mode=0755
  tags:
  - batcave
  - config

- name: setup cron for daily ticketkey reollover
  copy: src=ticketkey.cron dest=/etc/cron.hourly/ticketkey.cron mode=0755
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

- name: setup cron for removing old pdr requests
  copy: src=pdr.cron dest=/etc/cron.d/pdr.cron mode=0644
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')
#
# Set selinux booleans we need
#

- name: set selinux booleans
  seboolean: name={{ item }} persistent=yes state=yes
  with_items:
  - httpd_can_network_connect
  - httpd_use_nfs
  - httpd_can_network_relay
  - polyinstantiation_enabled
  tags:
  - batcave
  - config

#
# fedora-messaging configuration file for the applications sending messages from
# batcave
#

- name: install the fedora-messaging configuration file
  template: src=batcave-messaging.toml dest=/etc/fedora-messaging/batcave-messaging.toml
  tags:
  - batcave
  - config
  - fedora-messaging

- name: create folder where we'll place the certs
  file: path=/etc/pki/rabbitmq/ owner=root group=root mode=0755 state=directory
  tags:
  - batcave
  - config
  - fedora-messaging

- name: install the rabbitmq certificates for batcave
  copy: src={{ item.src }}
      dest=/etc/pki/rabbitmq/{{ item.dest }}
      owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }}
  with_items:
  - src: "{{private}}/files/rabbitmq/{{ env }}/pki/issued/batcave{{ env_suffix }}.crt"
    dest: batcave.crt
    owner: root
    group: root
    mode: "444"
  - src: "{{private}}/files/rabbitmq/{{ env }}/pki/private/batcave{{ env_suffix }}.key"
    dest: batcave.key
    owner: root
    group: root
    mode: "440"
  - src: "{{private}}/files/rabbitmq/{{ env }}/pki/ca.crt"
    dest: batcave.ca
    owner: root
    group: root
    mode: "444"
  tags:
  - batcave
  - config
  - fedora-messaging

#
# Scripts
#

#
# Hook to notify on git commits used in git repos
#

- name: setup git-notifier script
  copy: src=git-notifier dest=/usr/local/bin/git-notifier mode=0755
  tags:
  - batcave
  - config


# Hook to republish our bare repos for web viewing.
- name: setup syncgittree.sh script
  copy: src=syncgittree.sh dest=/usr/local/bin/syncgittree.sh mode=0755
  tags:
  - batcave
  - config


# The zodbot server must allow TCP on whatever port zodbot is listening on
# for this to work (currently TCP port 5050).
# Once that is done, you can symlink /usr/local/bin/zodbot-announce-commits.py
# to the 'hooks' directory of the bare repo you're wishing to receive commits
# for, then add a hooks.zodbotchannel to the repo's config file.
# Lastly, add the following lines to your 'update' hook:
# reposource=$(git config hooks.reposource)
# zodbot_channel=$(git config hooks.zodbotchannel)
# python $reposource/hooks/zodbot-announce-commits.py $reposource $zodbot_channel $oldrev $newrev ${1#refs/heads/}

- name: install zodbot-announce-commits script
  copy: src=zodbot-announce-commits.py dest=/usr/local/bin/zodbot-announce-commits.py mode=0755
  tags:
  - batcave
  - config
  - zodbot

#
# This is another script to announce commits, this time to the fedmsg bus
#

- name: install fedmsg-announce-commits script
  copy: src=fedmsg-announce-commits.py dest=/usr/local/bin/fedmsg-announce-commits.py mode=0755
  tags:
  - batcave
  - config

#
# This script checks all the virthosts and logs what guests they are running.
#

- name: install vmdiff.sh cron
  copy: src=vmdiff.sh dest=/etc/cron.hourly/vmdiff.sh mode=0755
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

- name: install infradocs.sh cron
  copy: src=infradocs.sh dest=/etc/cron.hourly/infradocs.sh mode=0755
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')


#
# Setup public db copy script.
#

- name: setup public db copy script
  copy: src=public-db-copy.sh dest=/usr/local/bin/public-db-copy.sh mode=0755
  tags:
  - batcave
  - config
#
# Setup public db copy cron.
#

- name: setup public db copy script
  copy: src=public-db-copy.cron dest=/etc/cron.d/public-db-copy.cron mode=0644
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

#
# Setup job that runs a check/diff ansible run over all playbooks each night.
#

- name: setup checkdiff ansible job
  copy: src=ansible-playbook-check-diff.cron dest=/etc/cron.daily/ansible-playbook-check-diff.cron mode=0755
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

#
# Setup rhel6 sync script.
#

- name: setup rhel6 sync script
  copy: src=rhel6-sync dest=/mnt/fedora/app/fi-repo/rhel/rhel6/rhel6-sync mode=0775
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')
#
# Setup rhel7 sync script.
#

- name: setup rhel7 sync copy script
  copy: src=rhel7-sync dest=/mnt/fedora/app/fi-repo/rhel/rhel7/rhel7-sync mode=0775
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')
#
# Setup rhel8 sync script.
#

- name: setup rhel8 sync copy script
  copy: src=rhel8-sync dest=/mnt/fedora/app/fi-repo/rhel/rhel8/rhel8-sync mode=0775
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')
#
# Setup rhel9 sync script.
#

- name: setup rhel9 sync copy script
  copy: src=rhel9-sync dest=/mnt/fedora/app/fi-repo/rhel/rhel9/rhel9-sync mode=0775
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

#
# sync-rhn cron job
#
- name: setup sync-rhn cron
  copy: src=sync-rhn dest=/etc/cron.d/sync-rhn mode=0644
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')


#
# Setup centos sync script.
#

- name: setup centos sync script
  copy: src=centos-8-sync dest=/mnt/fedora/app/fi-repo/centos/centos-8-sync mode=0775
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

#
# sync-centos cron job
#
- name: setup sync-rhn cron
  copy: src=sync-centos dest=/etc/cron.d/sync-centos mode=0644
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

#
# Setup centos 9s sync script.
#

- name: setup centos 9s sync script
  copy: src=centos-9s-sync dest=/mnt/fedora/app/fi-repo/centos/centos-9s-sync mode=0775
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

#
# Setup web server config
#
- name: install web server config for batcave (mimetypes)
  copy: src=mime-types.conf dest=/etc/httpd/conf.d/mime-types.conf mode=0644
  notify:
  - reload httpd
  tags:
  - batcave
  - config
  - httpd

- name: install web server config for batcave (access rules)
  copy: src=allows dest=/etc/httpd/conf.d/allows mode=0644
  notify:
  - reload httpd
  tags:
  - batcave
  - config
  - httpd

- name: install web server config for batcave (main config)
  template: src=infrastructure.fedoraproject.org.conf.j2 dest=/etc/httpd/conf.d/infrastructure.fedoraproject.org.conf mode=0644
  notify:
  - reload httpd
  tags:
  - batcave
  - config
  - httpd
  - sslciphers

#
# this cron job creates a json file from the rhel repos
#

- name: create repo2json directory
  file: dest=/srv/web/repo/json mode=0755 state=directory owner=apache group=apache
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

- name: create repo2json cron job
  copy: src=repo2json.cron dest=/etc/cron.d/repo2json.cron mode=0644
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01')

#
# ansible utils includes our rbac-playbook
#

- name: install the ansible_utils/rbac config
  copy: src={{ private }}/files/rbac/rbac.yaml dest=/etc/ansible_utils/rbac.yaml mode=0540 group=sysadmin
  tags:
  - rbac
  - batcave
  - config

#
# Setup geoip scripts.
# Other machines pull current geoip data from here.
#

- name: Install geoip download databases script
  copy: src=geoip-download-databases dest=/usr/local/bin/geoip-download-databases mode=0755
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01.phx2')

- name: Install geoip download cron
  copy: src=geoip-download-databases.cron dest=/etc/cron.d/geoip-download-databases.cron mode=0644
  tags:
  - batcave
  - config
  when: inventory_hostname.startswith('batcave01.phx2')

#
# set selinux context for /srv/web/infra
#

- name: check the selinux context of webdir
  command: matchpathcon /srv/web
  register: webdir
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: /srv/web file contexts
  command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
  when: webdir.stdout.find('httpd_sys_content_t') == -1
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

#
# set selinux context for public git repos
#

- name: check the selinux context of ansible
  command: matchpathcon /srv/ansible.git
  register: webdir
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: /git/ansible file contexts
  command: semanage fcontext -a -t git_content_t "/srv/ansible.git(/.*)?"
  when: webdir.stdout.find('git_content_t') == -1
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: check the selinux context of badges
  command: matchpathcon /git/badges
  register: webdir
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: /git/badges file contexts
  command: semanage fcontext -a -t git_content_t "/git/badges(/.*)?"
  when: webdir.stdout.find('git_content_t') == -1
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: check the selinux context of dns
  command: matchpathcon /git/dns
  register: webdir
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: /git/dns file contexts
  command: semanage fcontext -a -t git_content_t "/git/dns(/.*)?"
  when: webdir.stdout.find('git_content_t') == -1
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: check the selinux context of infra-docs
  command: matchpathcon /git/infra-docs
  register: webdir
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: /git/infra-docs file contexts
  command: semanage fcontext -a -t git_content_t "/git/infra-docs(/.*)?"
  when: webdir.stdout.find('git_content_t') == -1
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: Add SAR script for koji
  copy: src=koji_sar.py dest=/usr/local/bin/koji_sar.py owner=root mode=0700
  tags:
  - SAR
  - GDPR
  - koji
  - batcave

- name: create some tmp dirs
  file: path=/tmp-inst mode=000 owner=root group=root state=directory
  tags:
  - config
  - batcave
  - selinux

- name: create some tmp dirs
  file: path=/var/tmp-inst mode=000 owner=root group=root state=directory
  tags:
  - config
  - batcave
  - selinux

- name: put in place namespace.conf file
  copy: src=namespace.conf dest=/etc/security/namespace.conf mode=644 owner=root group=root
  tags:
  - config
  - batcave
  - selinux

- name: Create the /var/tmux folder for shared tmux session
  file: path=/var/tmux mode=2774 owner=root group=sysadmin state=directory
  tags:
  - batcave
  - tmux

- name: Let the /var/tmux folder be writable to fi-apprentice as well
  command: setfacl -R -m d:g:fi-apprentice:rwx -m g:fi-apprentice:rwx /var/tmux
  tags:
  - batcave
  - tmux

- name: Create dir for openshift pxe boot files
  file: path=/srv/web/infra/bigfiles/{{item}} mode=2660 owner=root group=sysadmin-openshift state=directory
  with_items:
  - openshiftboot
  - tftpboot/rhcos
  tags:
  - batcave
  - openshiftboot

- name: Let the openshift dir be writeable by sysadmin-openshift
  command: setfacl -R -m d:g:sysadmin-openshift:rwx -m g:sysadmin-openshift:rwx /srv/web/infra/bigfiles/{{item}}
  with_items:
  - openshiftboot
  - tftpboot/rhcos
  tags:
  - batcave
  - openshiftboot


#
# install psql to allow for some ro queries against db-datanommer01
#

- name: enable the postgresql 12 module for psql on batcave
  copy:
    dest: /etc/dnf/modules.d/postgresql.module
    content: |
      [postgresql]
      name=postgresql
      stream=12
      profiles=
      state=enabled
  tags:
  - batcave
  - postgres

- name: install psql client
  package: name=postgresql state=present
  tags:
  - batcave
  - postgres
  - config
  - packages
